
Previous patches for the vulnerability, which surfaced last Wednesday, were rushed out to Linux distributions. Some had to be pulled back for being incomplete. Red Hat, which produced one of the first fixes and had early details about the flaw’s criticality, pushed out another fix for its flavors of Linux Friday morning.

Apple sent Threatpost a statement on Friday after reports of exploits in the wild were rampant. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services,” said an Apple representative. “We are working to quickly provide a software update for our advanced UNIX users.”

The update comes after reports that exploits targeting the vulnerability were cultivating bots for a distributed denial-of-service botnet. Researchers at AlienVault Labs, for example, captured two distinct samples in a honeypot: one a Linux bot packed with information-stealing capabilities and a list of default username-password combinations, and the other a Perl bot that opens a backdoor and leaves compromised machines waiting for additional commands and malware from a centralized server.

Most of the activity detected by Incapsula consisted of scans for vulnerable systems and attempts to gain a shell on a vulnerable server in order to hijack it.

Bash is the most common command-line shell program on Linux and UNIX machines. The vulnerability in Bash, also known as Shellshock, allows an attacker to remotely attach malicious executable code to an environment variable, and that code is automatically executed when Bash is invoked.

“Lots of stuff calls Bash and I would bet you there are things in most environments that call Bash and you don’t even know they’re doing it,” Red Hat’s Josh Bressers said. “We did a ton of analysis on various things Red Hat ships that we decided were a high risk. It’s one of those situations where there are infinite variants you have to deal with. Heartbleed, for example, was easy to understand and all were affected the same way.”

“No two systems are affected the same way here. Upgrade Bash and don’t mess around,” Bressers said. “Even if you think you’re OK, you’re probably not.”

Bressers said the vulnerability allows an attacker to create environment variables that include malicious code before the system calls the Bash shell.

Discussion

Big improvement compared to the iCloud, Flashback, FinFisher and Goto Fail issues; of course they only pass Bash on from the open source community, which they learned how to do really fast after Flashback pwned Cupertino HQ via outdated Java 6.
With only 4% of computers using a secure OS X version and XServer dead, would it have made any difference really if they didn't bother to fix it?
Kind of like closing the barn door after the market share horse already escaped.

Authors

Threatpost
